From 948abb7a43def96eb24d8e26911658b0f8ec544a Mon Sep 17 00:00:00 2001 From: Ruth Fuchss Date: Mon, 18 Sep 2023 11:54:43 +0200 Subject: [PATCH] doc/networking/firewall: add more restrictive UFW rules Add an example for more restrictive firewall rules. Closes #11824 Signed-off-by: Ruth Fuchss --- doc/howto/network_bridge_firewalld.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/doc/howto/network_bridge_firewalld.md b/doc/howto/network_bridge_firewalld.md index e53e5fd9029d..2e55a0a682ba 100644 --- a/doc/howto/network_bridge_firewalld.md +++ b/doc/howto/network_bridge_firewalld.md @@ -67,14 +67,12 @@ For example: sudo firewall-cmd --zone=trusted --change-interface=lxdbr0 --permanent sudo firewall-cmd --reload - - ```{warning} + The commands given above show a simple example configuration. Depending on your use case, you might need more advanced rules and the example configuration might inadvertently introduce a security risk. -``` - +``` ### UFW: Add rules for the bridge @@ -93,12 +91,28 @@ For example: sudo ufw route allow in on lxdbr0 sudo ufw route allow out on lxdbr0 +````{warning} % Repeat warning from above ```{include} network_bridge_firewalld.md :start-after: :end-before: ``` +Here's an example for more restrictive firewall rules that limit access from the guests to the host to only DHCP and DNS and allow all outbound connections from IPv4 hosts: + +``` +# allow the guest to get an IP from the LXD host +sudo ufw allow in on lxdbr0 to any port 67 proto udp + +# allow the guest to resolve host names from the LXD host +sudo ufw allow in on lxdbr0 to any port 53 + +# allow the guest to have access to outbound connections +# determine with: lxc network list | grep lxdbr0 +sudo ufw route allow in on lxdbr0 from +``` +```` + (network-lxd-docker)= ## Prevent connectivity issues with LXD and Docker
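Review bot: the first hunk (`@@ -67,14 +67,12 @@`) rearranges the fences and blank lines around the existing `{warning}` admonition in the firewalld section (the closing ```` ``` ```` after "might inadvertently introduce a security risk." is deleted and re-added at a different position), which is what lets the second hunk include only the warning text inside its own four-backtick `{warning}` fence. The commit message only mentions adding the UFW example; please describe this restructuring there too, and verify in the rendered output that the firewalld section still shows the warning as an admonition and that the `{include}` in the UFW section picks up the text and not a stray fence, since the `:start-after:` and `:end-before:` values are not visible in this rendering of the patch.

Review bot: in the second hunk (`@@ -93,12 +91,28 @@`) the restrictive rule set is presented as an addition, but it does not replace the permissive `sudo ufw route allow in on lxdbr0` / `sudo ufw route allow out on lxdbr0` rules shown directly above it; ufw evaluates rules in order, so on a host that already applied the simple example those earlier rules keep matching and the new DHCP/DNS-only rules have no effect. Add a sentence saying the earlier rules must be removed first (for example with `sudo ufw route delete allow in on lxdbr0`) and that the example relies on ufw's default deny policy for incoming and routed traffic. Two smaller points: the last command, `sudo ufw route allow in on lxdbr0 from`, ends without an operand in the visible line, so give the subnet an explicit placeholder that survives rendering rather than relying on the "determine with: lxc network list | grep lxdbr0" comment alone; and the intro text "allow all outbound connections from IPv4 hosts" should say that the route rule covers the bridge's IPv4 subnet only, so IPv6 guests need a matching rule (also "an example for more restrictive" reads better as "an example of more restrictive"). The DNS rule deliberately omits `proto` and therefore allows both TCP and UDP on port 53, unlike the DHCP rule; worth stating so readers do not "fix" it.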